Today's workplace is a massive nightmare for information technology folks when it comes to security. But by emphasizing consistent, workplace-wide policies and by enforcing reasonable access limits, a company safeguard itself against both internal and external data loss.

Let's discuss a few keys to maintaining a secure workplace.

1. Rule BYOD, don't let BYOD rule you

Most businesses are going to let employees bring their own devices (laptops, tablets, etc.) to do work with. But holding seminars on how to keep private and workplace data is crucial. BYOD hardware must be managed with a clear and consistent policy, with well-defined limits to prevent your IT employees from accessing personal data.

That way if employees do choose to bring devices and their privacy is violated, the liability will lie not with your management, but on the staff member who violated that trust. Likewise, if the employee engages in inappropriate behavior (say viewing adult videos at work) you'll have the analytics to challenge them as necessary.

2. Ban USBs, CD Burning; go to an Internal Cloud

An internal cloud is a much more secure solution than allowing employees to share and transfer files via physical media such as USB sticks or CDs. Not only can such media carry malware, but it can also be used by a malicious employee or person posing as an employee to steal valuable trade secrets from your firm.

If your private cloud is properly designed and firewalled from the external world, it not only will allow you employees to share information more easily, it will also cut off a major source of data loss. Banning physical media is a smart idea and easy to do with today's technology.

3. Adopt the Latest Software

Still kicking around Internet Explorer 7? Kicking it with Windows XP? Quit it.

Old software is a security risk. If it is patched, it is often patched at a sordidly slow pace. And there's typically a lot of it lingering around here and there, so inevitably it's a highly attractive target for malware authors.

We know you loved Windows XP, but it may be time to move on. [Image Source: Microsoft]

While few businesses have the need or resources to upgrade with every single release of Windows and every single new browser release, many should put a bit more effort into staying up to date. And if you're testing software for older browsers or other older platforms with inherent security risks, be sure to isolate them from your other networks. Just ask Google Inc. (GOOG) which saw IE 7 test machines exploited by Chinese hackers to steal data off its network.

Hold an employee seminar and explain how you can make a sentence into a password. A 30 or 40 character long password is very hard to break even with modern GPUs.

Like the sound of that? Do one better by also securely backing the password with the most modern hashing algorithms like SHA-256 or SHA-512. Combined these two techniques will make it virtually impossible to brute force your passwords.

6. Hold Education Seminars on Phishing, Spear-Phishing

Phishing -- sending malicious links inside innocent-looking email messages -- is a huge security risk for every company. Even the best password won't protect you if you go giving it to the wrong web-form. Teach your employees to watch their url bar in their browser and to avoid clicking on email links to access a site, unless they really trust them.

Special care should be taken to prevent spear-phishing -- attempts to target specific high profile catches, such as a CEO/CTO/CFO's login information. You executives may moan and groan, but they're far to valuable to let them fall for such ploys.

Special screening of executive email can help cut down on spear-phishing threats as well. While staff obviously can't hand-screen every email message, it is practical to screen high-level management's messages for clear fraud/spam attempts.

Again a clear-cut policy to protect privacy must be enforced here, to prevent unfortunate incidents.

.......

Following those 6 principles will take some work, but it will be worth it. After all, your firm is only worth as much as its security.

Comments

Threshold

Username

Password

remember me

This article is over a month old, voting and posting comments is disabled

quote: Those algorithms are designed to be fast to compute. That is exactly the opposite to what should be used. There are hashes designed for passwords that are computationally intensive and make a brute force attack more (or much more) expensive.

If you salt them with unique, random salts SHA-256/512 are perfectly fine AFAIK.

Feel free to correct me if I'm wrong, master hackers/cryptographers, I am but a humble analyst.

If quantum or organic computing arrives these algorithms will likely be crushed under the speed.

Specifically for passwords, the best method of cracking is using a rainbow table of known passwords, known password patterns (letters + numbers) and dictionary words and combinations (such as replacing o with 0).

Still depends on the Hashing algorithm used in password transmission. With older algorithms like MD4, which use a very short keyspace, you have issues with collision. When you have collision with multiple hashes, you don't have to determine the actual password, only a password that matches the hash, so a unicode password can be hashed and have the same hash value as a straight ASCII password. When that happens, you can often log in with the ASCII password without knowing the unicode one, because most password comparison systems will hash the password you enter before transmission, and the password is never reversed. You get logged in when the system compares the transmitted hash with the hash of the stored password.

Rainbow tables are basically just a distributed brute force. The way a hashed password is cracked is by obtaining the transmitted or stored hash and the attempting to determine the password by hashing every possible combination of passwords and comparing the resulting hash with what was transmitted or is in storage. Rainbow tables are collections of previously hashed words. Rainbow tables are only useful when the entire keyspace of a given hashing algorythm has been discovered. If a password in use has not been previously hashed and stored in a rainbow table, the attacker must resort to brute forcing the remainder of the hash keyspace to get the password. Defense against rainbow tables requires two things, a large keyspace, and a password policy that requires passwords that are complex or long enough to make brute force more difficult. For instance, the entire keyspace for passwords below 7 characters (using all acceptable character sets) utilizing the hashing methods in Windows LanMan has been hashed and the resulting rainbow table can be stored ona single CD. However, NTLM, which replaced LanMan in Windows 2000, is still being hashed against. So far, the tables are above 3 terabytes in length, if i remember correctly. This only covers a minor percentage of passwords below 14 characters using all characters. The reasons for this difference vary. For one, LanMan hashed passwords at 7 character intervals, so a 14 character password generated two hashes. Wiht fewer characters, it is easier to brute force. Second, lanman used a weak hashing algorithm with a short keyspace. This resulted in heavy collision issues, where multiple passwprds returned the same hash, and since password systems work by hashing input and transmitting the hash, if two passwords have the same hash, both passwords will allow login.

To circumvent these issues, NTLM encorporated a longer keyset, stopped splitting hashes, and allowed for passwords that were up to 128 unicode bits in length (different characters have a different bit length. Special characters are longer in unicode than letters and numbers). This means that there is no storgae medium currently capable of storing a rainbow table for the full NTLM keyspace while remaining portable. As technology evolves, this will change, and new methods must be developed for securing passwords. For now, there remains few rainbow tables for passwords beyond 14 characters in length, and the keyspace for password hashes above 18 characters is virtually unexplored.

With all that said, Jason,the recommendation for having users secure their passwords with sha 256 or 512 is not very tenable, since the end user and, usually, the IT organization, cannot control the hashing algorithms used in their systems. Windows only allows passwords to use lanman, ntlm, or ntlmv2, and the hashing algorithm is non variable in a windows organization, which thevast majority of information systems that end users work with use. A tenable recommendation would be to ensure that windows systems are not storing lanman hashes (default operation in all windows since vista), for one, and using passphrases abpve 18 character, for another, 40 character passwords are currently excessive in length and will greatly hamper users that have to use passwords a lot.

Yes, rainbow tables only work for common hashes or hash/salt combinations, but brute force is coming along nicely. Take the Windows password brute force link I posted earlier, for example. It can brute force any NTLM Windows password in 6 hours, given the hash.

In general I wasn't referring specifically to Windows passwords (except the link to show how far brute force attacks have come), but passwords in general.

Right now, there are so many real passwords in the wild, stats have been created about which passwords are the most common, what common patterns are, etc. For example, a large percentage of passwords end in four numbers which decreases the number of brute force attempts for many passwords fitting that pattern. A faster hashing algorithm just increases the speed at which the brute force attempts can be made. Granted, you still need to know the hashing algorithm to brute force, but once that is known a good brute force attack is possible in many cases.

Like you indicated, entropy is your best bet to protect against a brute force attack. The longer the password the more entropy it has, all things being equal.

NTLM hashes are only used when computers aren't a member of a domain. Kerberos uses a different method that is significantly stronger and doesn't rely on Hashing. Domain secured accounts are significantly more difficult to brute force than hashed Passwords. Ultimately, the brute force methods used in that link are useless for determining passwords on a Domain, which basically means that it won't help you get into any real enterprise network. It'll get you into someone's home computer easily enough, or into a local account on a domain joined computer, but getting access to the domain is a lot harder to brute force.